Hello, Researcher!


We take security, privacy, and transparency seriously.

Cloudflare appreciates your effort to help us all build a better, more secure Internet.

Spotting Security Issues

If you have discovered a vulnerability in Cloudflare or another serious security issue, please submit it to our bounty program hosted by HackerOne.

Your Cloudflare Account

For password and login problems, if you think your account has been "stolen," or other issues with your Cloudflare account, please visit our support site.

Cloudflare Vulnerability Disclosure Policy

Maintaining the security, privacy, and integrity of our products is a priority at Cloudflare. Therefore, Cloudflare appreciates the work security researchers do to improve our security posture. We are committed to creating a safe, transparent environment to report vulnerabilities.

If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. We ask that you follow Cloudflare’s Vulnerability Disclosure Policy and HackerOne’s Disclosure Guidelines, and that you make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.

Scope

Services that Cloudflare provides or any Cloudflare product, including Cloudflare Workers, are in scope. An exception is support.cloudflare.com, which is hosted by Zendesk. Particular research focus areas can be found on the Cloudflare HackerOne profile as they are available.

The following conditions are out of scope for the Vulnerability Disclosure Program. Any of the activities below will result in permanent disqualification from the program.

  • Customers of Cloudflare or non-Cloudflare sites behind our infrastructure.
  • Any vulnerability obtained through the compromise of Cloudflare customer or employee accounts.
  • Missing Best Practice, Configuration or Policy Suggestions.
  • Any Denial of Service (DoS) attack against Cloudflare and our products.
  • Physical attacks against Cloudflare employees, offices, and data centers.
  • Social engineering of Cloudflare employees, contractors, vendors, or service providers.
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware.
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.

Eligibility and Disclosure

In order for your submission to be eligible:

  • You must agree to our Vulnerability Disclosure Policy.
  • You must be the first person to responsibly disclose an unknown issue.

All legitimate reports will be reviewed and assessed by Cloudflare’s security team to determine if they are eligible.

As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13.